Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2025-68454

5.2 MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
5 January 2026

What is CVE-2025-68454?

Craft CMS is susceptible to a vulnerability that allows authenticated users to execute code remotely. It affects versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 in environments where the 'allowAdminChanges' setting is enabled or where non-administrators can access specific resources. An authenticated attacker can inject crafted payloads through the Twig map filter in text fields configured to accept Twig input, which can lead to unauthorized code execution. To mitigate this vulnerability, upgrade to version 5.8.21 (5.x branch) or 4.16.17 (4.x branch), as recommended by the security advisories.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.8.21 (unaffected: < 5.0.0-RC1, 5.8.21)

cms >= 4.0.0-RC1, < 4.16.17 (unaffected: < 4.0.0-RC1, 4.16.17)

References

CVSS V4

Score:
5.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
